Introduction

The Cisco AnyConnect Secure Mobility client for Apple iOS provides seamless and secure remote access to enterprise networks. The client allows any installed application to communicate as though connected directly to the enterprise network.

The App Store provides the installation application and all updates. The Cisco Adaptive Security Appliance (ASA) is the secure gateway that admits access to the VPN, but it does not support updates of AnyConnect for Apple iOS.

AnyConnect for Apple iOS is similar to AnyConnect for Windows, Mac OS X, and Linux. Your organization may provide additional documentation on using AnyConnect on Apple iOS.

Apple iOS Devices Supported

Device                              Apple iOS Release Required
iPad Air                            7.0 or later
iPad 2                              6.0 or later
iPad (3rd generation)               6.0 or later
iPad (4th generation)               6.0 or later
iPad mini                           6.0 or later
iPad mini (with Retina display)     7.0 or later
iPhone 3GS                          6.0 - 6.1.6
iPhone 4                            6.0 - 7.1.2
iPhone 4S                           6.0 or later
iPhone 5                            6.0 or later
iPhone 5C                           7.0 or later
iPhone 5S                           7.0 or later
iPhone 6                            8.0 or later
iPhone 6 Plus                       8.0 or later
iPod Touch (4th generation)         6.0 - 6.1.6
iPod Touch (5th generation)         6.0 or later

Note AnyConnect on the iPod Touch appears and operates as on the iPhone. Use the iPhone User Guide for Cisco AnyConnect Secure Mobility Client for this device.

Installing or Upgrading AnyConnect

Installing AnyConnect

Step 3 In the Search Box, enter anyconnect and tap cisco anyconnect in the Suggestions list.

Step 4 Tap AnyConnect.

Step 5 Tap Free, then INSTALL APP.

Step 6 Select Install.

Upgrading AnyConnect

Upgrades to AnyConnect 3.0 are managed through the Apple App Store. After the Apple App Store notifies users that the AnyConnect upgrade is available, follow this procedure.

You must do the following before upgrading your device:

Disconnect an AnyConnect VPN session if one is established. If you fail to do this, AnyConnect requires a reboot of your device before using the new version of AnyConnect.

Close the AnyConnect application if it is open.

Note If the Apple iOS Connect On Demand feature is used on your device to make VPN connections automatically, you must launch the AnyConnect app and establish a VPN connection immediately after upgrade. If this is not done, upon the next iOS system attempt to establish a VPN tunnel, the error message “The VPN Connection requires an application to start up” will display.

Step 1 Tap the App Store icon on the iOS home page.

Step 2 Tap the AnyConnect upgrade notice.

Step 3 Read about the new features.

Step 4 Tap Update.

Step 5 Enter your Apple ID password.

Step 6 Tap OK.

The AnyConnect upgrade proceeds.

Device Localization

The following language translations are included in the AnyConnect package:

Czech (cs-cz)

German (de-de)

Latin American Spanish (es-co)

Canadian French (fr-ca)

Japanese (ja-jp)

Korean (ko-kr)

Polish (pl-pl)

Simplified Chinese (zh-cn)

Localization data for these languages is installed on the device when AnyConnect is installed. The displayed language is determined by the locale specified in Settings > General > International > Language. AnyConnect uses the language specification first, then the region specification, to determine the best match. For example, after installation, a French-Switzerland (fr-ch) locale setting results in a French-Canadian (fr-ca) display. AnyConnect UIs and messages are translated as soon as AnyConnect starts. The selected localization is noted as Active in the AnyConnect Localization Management screen.

Getting Started with AnyConnect

Client User Interface

If you tap the AnyConnect icon on the iPhone or iPad home screen, the AnyConnect home screen opens:

Step 1 Tap the Cisco AnyConnect Secure Mobility Client icon.

A confirmation opens the first time you start AnyConnect on the device.

Step 2 Tap OK.

AnyConnect shows the VPN connection status in the AnyConnect home screen. Figure 1 shows the AnyConnect home screen for the iPhone. Figure 2 shows the AnyConnect home screen for the iPad.

The AnyConnect home screen lists the names of the VPN connection entries stored on the device, and lets you add new VPN connection entries. The slider switch near the top lets you establish a VPN connection using the connection entry indicated by the check mark. The Status parameter shows the state of the VPN connection.

The tab bar at the bottom of each iPhone display provides navigation icons for the Home, Statistics, Diagnostics, and About windows. The iPad AnyConnect home screen integrates these functions.

Figure 1 iPhone AnyConnect home screen

Figure 2 iPad AnyConnect home screen

Table 1 shows the differences between AnyConnect for the iPhone and the iPad.

Table 1 Differences between the iPhone and iPad AnyConnect UI

Feature: Home—Opens when you tap the AnyConnect icon. Displays VPN Connection controls.
  iPhone: Also accessed by tapping the Home icon at the bottom of the AnyConnect screen.
  iPad: VPN Connection controls are in the upper left of the AnyConnect home screen. This screen remains on display.

Feature: Statistics—Connection Status Overview
  iPhone: Tap the Statistics icon at the bottom of the screen in the iPhone AnyConnect app.
  iPad: Status Overview panel in the lower left of the AnyConnect home screen.

Feature: Statistics > Details
  iPhone: Tap Details in the Statistics screen.
  iPad: Tap Details in the Status Overview panel on the AnyConnect home screen.

Feature: Settings
  iPhone: Tap the Settings icon at the bottom of the screen in the iPhone AnyConnect app.
  iPad: Tap Settings in the Status Overview panel on the AnyConnect home screen.

Feature: Diagnostics
  iPhone: Tap the Diagnostics icon in the tab bar to view or delete certificates, profiles, or localization data stored on your device, turn on debug logging, and view and manage AnyConnect logs.
  iPad: Tap the Diagnostics button on the AnyConnect home page to view or delete certificates, profiles, or localization data stored on your device, turn on debug logging, and view and manage AnyConnect logs.

Feature: About—Displays the AnyConnect version and licensing details, and a link to the user guide.
  iPhone: Tap the About icon at the bottom of the AnyConnect screen.
  iPad: Tap About at the top right of the AnyConnect home screen.

Feature: Bandwidth graphs (bytes received and bytes sent).
  iPhone: Tap Statistics > Graphs to see a graphical representation of bytes received and bytes sent.
  iPad: Tap Graphs near the top right of the AnyConnect home screen.

Step 3 Before establishing your first VPN connection, you must add a VPN Connection Entry to select. Example 1, Example 2, and so on in the figures above are configured connection entries. Follow the instructions provided by your administrator to configure a connection entry. They may involve the following activities:

Displaying Help

AnyConnect displays an information icon ( i ) on the lower right corner of the screen if help is available.

Tap this icon to display help information about the current options.

Alternatively, tap About in the lower right corner of the AnyConnect home screen to display a link that provides access to this guide.

What You Need Before You Set Up AnyConnect

You must obtain one or more of the following from your system administrator, depending on your network requirements, before you set up AnyConnect to establish a VPN session:

Server Address—Domain name, IP address, or Group URL of the Cisco Adaptive Security Appliance to be used as the VPN secure gateway.

Username and password—Credentials needed to access the VPN.

Alternatively, your system administrator may supply a link on your corporate network that you tap to add the required connection entries to your iPhone.

The Apple iOS Connect On Demand feature, if used, supports the automation of a VPN connection as needed by the applications on your device. However, you must install a digital certificate on the device first. The certificate must be one that the secure gateway accepts. Your system administrator determines which certificate the secure gateway accepts for its respective group URLs.

If you are not using any other form of authentication, it is best to use a Group URL supplied by your system administrator.

Connecting to a VPN

Adding a VPN Connection Entry

These instructions may be unnecessary if your system administrator supplied you with a webpage link to tap to add connection entries to the AnyConnect configuration.

Before attempting to establish a VPN connection, add a VPN connection entry to identify the Cisco secure gateway, as follows:

Step 1 Tap Add VPN Connection in the AnyConnect home screen. The Add VPN Connection screen shows the initial VPN connection parameters. Tap Cancel to cancel the configuration process at any time or tap Save to save the connection entry.

Step 2 (Optional) Tap Description to enter a unique name for the connection entry.

This name appears in the connection list of the AnyConnect home screen. We recommend using a maximum of 24 characters to ensure the name fits in the connection list. Use letters, spaces, numbers, or symbols on the keyboard. AnyConnect retains the upper- or lower-case letters exactly as you specify them. For example,

Example 1

Step 3 Tap Server Address to enter the domain name, IP address, or Group URL of the Cisco Adaptive Security Appliance with which to connect. For example,

vpn.example.com

Step 4 Tap Advanced to open the advanced VPN connection parameters.

Tap Add VPN Connection at any time in this window to return to the initial configuration window to cancel or save the connection entry.

Step 5 (Optional) Configure Network Roaming for this connection.

Network Roaming determines whether to limit the time it takes to reconnect after the device wakes up or after a change to the connection type (such as EDGE(2G), 1xRTT(2G), 3G, or Wi-Fi).

Note This parameter does not affect data roaming or the use of multiple mobile service providers.

Tap this switch, as follows:

ON—(Default) This option optimizes VPN access. If AnyConnect loses a connection, it tries to establish a new one until it succeeds. This setting lets applications rely on a sustained connection to the VPN. AnyConnect does not impose a limit on the time it takes to reconnect.

OFF—This option optimizes battery life. If AnyConnect loses a connection, it tries to establish a new one for 20 seconds and then stops trying. You must then start a new VPN connection if one is necessary.

Step 6 (Optional) Configure certificate use for this connection.

a. Tap Certificate to show the Select Certificate screen.

b. Tap one of the following choices:

– Disabled – (Default) A client certificate is never used for authentication.

– Automatic – AnyConnect automatically chooses the client certificate with which to authenticate. In this case, AnyConnect views all the installed certificates, disregards those certificates that are out of date, applies the certificate matching criteria defined in the VPN client profile, and then authenticates using the certificate that matches the criteria. This happens every time the user attempts to establish a VPN connection.

– Certificate Name – If you already have certificates installed on the device, select one to be associated with this VPN connection.

c. Tap Advanced to return to the advanced configuration window.

Note If you are not going to be using certificates for authentication, do nothing to the certificate field and tap Save. The connection setting maintains the Disabled certificate setting.

If you are going to be using certificates to authenticate, do nothing to the certificate field and tap Save. Then, use the Installing a Certificate on Your Mobile Device procedure to import and configure certificate authentication for your connection profile.

Step 9 Tap the connection entry name to return to the Add VPN Connection window.

Step 10 Tap Save to retain the connection values.

AnyConnect closes the Add VPN Connection screen and adds the entry to the AnyConnect home screen.

Installing a Certificate on Your Mobile Device

In order to authenticate your device to the secure gateway using a certificate, import the certificate to your device and then associate that certificate with a connection entry. Use one of these methods to import a certificate to your Apple iOS device:

Importing and Installing Certificates with a SCEP-configured Connection Alias

Your administrator may configure a connection profile that distributes certificates using the SCEP protocol. Your AnyConnect administrator needs to provide you with the name of the VPN configuration or connection profile that uses it.

There are two methods of importing and installing certificates with an SCEP-configured connection alias:

The certificate shows a check mark to indicate it is the one selected.

Tip When you are in the Select Certificate screen, check Automatic for automatic certificate selection. AnyConnect attempts to select the correct certificate for authentication if you have more than one certificate installed on your device.

Start your VPN connection by turning AnyConnect ON in the home screen.

Configuring Connect-On-Demand Rules

The Apple iOS Connect On Demand feature lets an application such as Safari initiate a VPN connection. AnyConnect evaluates the domain requested by an application against the strings in the domain lists within the selected connection entry—the entry with the check mark next to it.

When a VPN connection is initiated via iOS's Connect on Demand, iOS disconnects the tunnel if the tunnel is inactive (no traffic through the tunnel) for a particular time interval. See Apple’s VPN On Demand documentation for more information.

Never Connect —AnyConnect evaluates domain requests for a match against the contents of this list first. If a string in this list matches the domain, Apple iOS ignores the domain request. This list lets you exclude certain resources. For example, you might not want an automatic VPN connection over a public-facing web server. An example value is www.example.com.

Note If you or the user enable Connect On Demand, AnyConnect adds the secure gateway address in the VPN configuration to the Never Connect list to prevent VPN connections from starting when you use a web browser to connect to a secure gateway. Leaving the rule in place does not have an adverse effect on Connect on Demand.

Always Connect —AnyConnect evaluates domain requests for a match against the contents of this list next. If a string in this list matches the domain, Apple iOS attempts to establish a VPN connection. The most common use case for this list is to obtain brief access to internal resources. An example value is email.example.com.

Connect if Needed —AnyConnect evaluates a domain request for a match against this list only if a DNS error occurred. If a string in this list matches the domain, Apple iOS attempts to establish a VPN connection. The most common use case for this list is to obtain brief access to an internal resource that is not accessible from a LAN within the corporate network. An example value is intranet.example.com.

Apple iOS establishes a VPN connection on behalf of an application only if all of the following are true:

A VPN connection is not already established.

An application specifies a destination by using its fully-qualified domain name rather than an IP address.

The connection entry is configured to use a valid certificate.

Connect on Demand is enabled in the connection entry.

AnyConnect fails to match a string in the Never Connect list to the domain request.

Either of the following is true:

– AnyConnect matches a string in the Always Connect list to the domain request.

– A DNS lookup failed, and AnyConnect matches a string in the Connect if Needed list to the domain request.

The domain lists specify the Connect-on-Demand rules. These rules support only domain names, not IP addresses. The domain names specified within the rules may be partial or whole domain strings. Use a comma to separate list entries. AnyConnect is flexible about the domain name format of each list entry, as follows:

Match: Exact domain name match.
  Instruction: Enter the prefix, dot, and domain name.
  Example entry: email.example.com
  Example matches: email.example.com
  Example match failures: www.example.com, email.1example.com, email.example1.com, email.example.org

Match: Exact match of a sequence of discrete subdomains up through the top-level domain. The leading dot prevents connections to hosts ending with *example.com, such as notexample.com.
  Instruction: Enter a dot followed by the domain name to be matched.
  Example entry: .example.org
  Example matches: anytext.example.org
  Example match failures: anytext.example.com, anytext.1example.org, anytext.example1.org

Match: Any domain name ending with the text you specify.
  Instruction: Enter the end of the domain name to be matched.
  Example entry: example.net
  Example matches: anytext.anytext-example.net, anytext.example.net
  Example match failures: anytext.example1.net, anytext.example.com

AnyConnect does not limit the maximum number of domains in a list.
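The following is an added example, not Cisco's code, that models the three list-entry formats from the table above together with the ordered conditions under which Connect On Demand starts a tunnel. It assumes that a leading-dot entry matches only hosts below that domain and that any other entry matches any host ending with it (so a full host name such as email.example.com behaves as an exact match); the guide does not state how hosts outside its examples are handled.

```python
"""Model of Connect On Demand domain-list matching and evaluation order.
Added example, not Cisco's code. Assumption (also in comments): a leading-dot
entry matches hosts below that domain; any other entry is a suffix match, so a
full host name such as email.example.com behaves as an exact match.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


def parse_domain_list(text: str) -> List[str]:
    """Split the comma-separated entries typed into one domain list."""
    return [item.strip().lower() for item in text.split(",") if item.strip()]


def domain_matches(entry: str, host: str) -> bool:
    """Apply one list entry to a requested host name using the guide's formats."""
    entry = entry.strip().lower()
    host = host.lower().rstrip(".")
    if not entry:
        return False
    if entry.startswith("."):
        # Leading dot: the host must end with ".example.com", so notexample.com
        # is rejected. Assumption: the bare apex example.com does not match either.
        return host.endswith(entry) and len(host) > len(entry)
    # Bare entry: any host name ending with the text, which makes a complete
    # host name such as email.example.com an exact match in practice.
    return host.endswith(entry)


def _any_match(entries: List[str], host: str) -> bool:
    return any(domain_matches(e, host) for e in entries)


def _is_ip_literal(host: str) -> bool:
    """Connect On Demand only acts on fully qualified domain names."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


@dataclass
class ConnectOnDemandEntry:
    """The parts of a connection entry that Connect On Demand consults."""
    server_address: str
    never_connect: List[str] = field(default_factory=list)
    always_connect: List[str] = field(default_factory=list)
    connect_if_needed: List[str] = field(default_factory=list)
    certificate_valid: bool = True
    connect_on_demand: bool = True

    def __post_init__(self) -> None:
        # Enabling Connect On Demand adds the secure gateway address to the
        # Never Connect list so browsing to the gateway itself does not
        # trigger a tunnel (see the Note under Never Connect).
        gateway = self.server_address.lower()
        if self.connect_on_demand and gateway not in self.never_connect:
            self.never_connect.append(gateway)


def should_start_vpn(entry: ConnectOnDemandEntry, host: str, *,
                     vpn_established: bool = False,
                     dns_failed: bool = False) -> Tuple[bool, str]:
    """Return (start_vpn, reason), checking the guide's conditions in order."""
    host = host.lower().rstrip(".")
    if vpn_established:
        return False, "a VPN connection is already established"
    if _is_ip_literal(host):
        return False, "destination is an IP address, not a domain name"
    if not entry.certificate_valid:
        return False, "connection entry has no valid certificate"
    if not entry.connect_on_demand:
        return False, "Connect On Demand is not enabled for this entry"
    if _any_match(entry.never_connect, host):
        return False, "matched Never Connect list"
    if _any_match(entry.always_connect, host):
        return True, "matched Always Connect list"
    if dns_failed and _any_match(entry.connect_if_needed, host):
        return True, "DNS lookup failed and matched Connect if Needed list"
    return False, "no rule matched"


if __name__ == "__main__":
    # Constructed connection entry using the guide's example host names.
    cod = ConnectOnDemandEntry(
        server_address="vpn.example.com",
        never_connect=parse_domain_list("www.example.com"),
        always_connect=parse_domain_list("email.example.com, .mail.example.org"),
        connect_if_needed=parse_domain_list("intranet.example.com"),
    )
    for host, dns_failed in [("email.example.com", False), ("www.example.com", False),
                             ("intranet.example.com", True), ("intranet.example.com", False),
                             ("vpn.example.com", False), ("10.0.0.5", False)]:
        print(host, dns_failed, should_start_vpn(cod, host, dns_failed=dns_failed))
```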

Prerequisites

The connection entry is configured to authenticate using a valid certificate.

The connection entry is one the user created. Users cannot configure connect on demand in connection profiles downloaded from the ASA.

Detailed Steps

To configure connect on demand, follow this procedure:

Step 1 Open the AnyConnect home screen.

Step 2 In the Choose a connection... area tap the connection details icon for the connection you are going to configure for connect on demand.

Step 3 Tap Advanced to open the Advanced configuration window.

Step 4 Tap ON next to Connect On Demand.

Step 5 Tap Domain List.

The Domains screen shows the domain lists.

Step 6 Do either of the following:

Tap Add Domain to add a domain string to the list shown. The Domains screen adds a row to the list and displays an on-screen keyboard for you to enter the domain string.

Tap Edit at the top of the screen to add, edit, or delete domain strings.

This screen lets you:

Add a domain name to a list. To do so, tap Add Domain. AnyConnect adds a blank row to the list and displays an on-screen keyboard for you to add the list entry.

Move a domain name from one list to another. To do so, touch the triple-bar to the right of the domain entry and drag it to the area below the title of the destination list.

Delete—Tap the red circle to the left of the domain name, then tap Delete to the right of the domain.

Step 7 Tap Save.

Establishing a VPN connection

Prerequisites

Ensure you have a LAN connection or a connection to your service provider.

Detailed Steps

Step 1 Go to the AnyConnect home screen.

Step 2 Tap the connection entry to be used.

AnyConnect repositions the check mark next to the connection entry and disconnects any VPN connection currently in place.

Step 3 Tap ON next to AnyConnect VPN.

Step 4 If necessary, use the credentials supplied by your system administrator to log in.

Step 5 If instructed by your system administrator to do so, tap Get Certificate.

Step 6 If necessary, tap Connect.

The Status parameter reveals the new connection state, and the VPN icon is shown in the Status Bar.

Depending on the secure gateway setup, AnyConnect retrieves connection entries and adds them to the VPN connection list in the AnyConnect home screen.

Caution Tapping another VPN connection in the AnyConnect home screen disconnects the current VPN connection.

Modifying a VPN Connection Entry

You are able to modify all aspects of connection entries you create.

When the Apple iOS mobile device connects to the ASA, AnyConnect imports that VPN client profile and installs it on the device. Users cannot modify most fields in the VPN client profiles defined by an AnyConnect administrator.

Step 1 Open the AnyConnect home screen.

Step 2 Tap the detail disclosure button to the right of the VPN connection entry.

Managing AnyConnect

Specifying Application Settings

Changing the Theme

High Contrast—Alternative to the Cisco default theme. This theme emphasizes black and white, although it does use some color. It might be preferable for visually impaired users or for viewing in bright light.

To change the theme of the AnyConnect user interface:

Step 1 Inside the AnyConnect app, tap Settings > Theme.

Step 2 Tap the theme you want: Cisco Default Theme or High Contrast.

Apple iOS inserts a check mark next to the theme you selected, and changes the application theme immediately.

Step 3 Tap Settings to return to the Settings screen.

Configuring External Control

Enabling external control allows you to click links your administrator sends you to perform such tasks as creating connections or importing certificates. It also allows Apple iOS to act on a command in a URI that was not sent by your AnyConnect administrator.

Step 1 Inside the AnyConnect app, tap Settings > External Control.

Step 2 Choose one of these options:

Disable : No external control allowed. Clicking a URI in an email or on a web page results in the following error message:

“The External Control feature is disabled. Enable it from the AnyConnect settings.”

Prompt : When the mobile device user clicks a URI in an email or web page, AnyConnect prompts the user to accept or reject a connection to the remote server with this message:

“Another application has requested that AnyConnect connect to <asa.example.com>. Do you want to allow this?”

Enable : When the mobile device user clicks a URI in an email or web page, AnyConnect executes the commands specified in the URI without interrupting the user.

Step 3 Tap Settings to return to the Settings screen.

Blocking Untrusted Servers

This application setting determines whether AnyConnect automatically blocks a connection when it is unable to identify the secure gateway. This protection is ON by default. It can be turned OFF, but this is not recommended.

AnyConnect uses the certificate received from the server to verify its identity. If there is a certificate error due to an expired or invalid date, wrong key usage, or a name mismatch, the connection is blocked.

When this setting is ON, a blocking Untrusted VPN Server! notification alerts you to this security threat.

Managing Certificates

Certificates are used to digitally identify each end of the VPN connection: The secure gateway, or the server, and the AnyConnect client, or the user. A server certificate identifies the secure gateway to AnyConnect, a user certificate identifies the AnyConnect user to the secure gateway. Certificates are obtained from and verified by Certificate Authorities (CAs).

When establishing a connection, AnyConnect always expects a server certificate from the secure gateway. The secure gateway only expects a certificate from AnyConnect if it has been configured to do so. Expecting the AnyConnect user to manually enter credentials is another way to authenticate a VPN connection. In fact, the secure gateway can be configured to authenticate AnyConnect users with a digital certificate, with manually entered credentials, or with both. Certificate only authentication allows VPNs to connect without user intervention.

Distribution and use of certificates to the secure gateway and to your device is directed by your administrator. Follow directions provided by your administrator to import, use, and manage server and user certificates for AnyConnect VPNs. Information and procedures in this document related to certificates and certificate management are provided for your understanding and reference.

AnyConnect stores both user and server certificates for authentication in its own certificate store. The AnyConnect certificate store is managed from the Diagnostics > Certificates screen.

User Certificate Management

In order for you, the AnyConnect user, to authenticate to the secure gateway using a digital certificate, you need a User certificate in the AnyConnect certificate store on your device. User certificates are imported using one of the following methods as directed by your administrator:

Imported manually from the device's file system, the device's credential storage, or from a network server.

Imported after clicking on a hyperlink provided by your administrator in an email or on a web page.

Imported when connecting to a secure gateway that has been configured by your administrator to provide you with a certificate.

Once imported, the certificate is associated with a particular connection entry, or selected automatically during connection establishment to automatically authenticate.

User certificates in the AnyConnect store can be deleted if they are no longer needed for authentication.

Server Certificate Management

A server certificate received from the secure gateway during connection establishment automatically authenticates that server to AnyConnect, if and only if it is valid and trusted. Otherwise:

A valid, but untrusted server certificate is reviewed, authorized, and imported to the AnyConnect certificate store. Once a server certificate is imported into the AnyConnect store, subsequent connections made to the server using this digital certificate are automatically accepted.

An invalid certificate cannot be imported into the AnyConnect store, but is accepted to complete the current connection. This is not recommended.

Server certificates in the AnyConnect store can be deleted if they are no longer needed for authentication.
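The following is an added example, not Cisco's code, that models the server certificate handling described under Blocking Untrusted Servers and Server Certificate Management above: the three validity errors the guide names, the block-or-prompt decision the setting controls, and the rule that only a valid certificate can be imported into the AnyConnect store for automatic acceptance later. It assumes plain dataclasses in place of real X.509 objects, that "trusted" means issued by a CA in a trusted set or previously imported, and that a wildcard name covers exactly one leftmost label, which the guide does not specify.

```python
"""Model of AnyConnect server certificate handling as this guide describes it.
Added example, not Cisco's code. Assumptions (also in comments): certificates
are plain dataclasses; "trusted" means issued by a trusted CA or previously
imported into the store; a wildcard name covers one leftmost label.
"""
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone
from typing import List, Set

# Constructed "current time" used by the sample certificates in demo().
SAMPLE_NOW = datetime(2015, 1, 15, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ServerCertificate:
    names: tuple            # host names the certificate is issued for
    issuer: str             # CA that signed it
    not_before: datetime
    not_after: datetime
    key_usage: tuple        # extended key usages by name, e.g. ("serverAuth",)
    fingerprint: str        # constructed identifier used as the store key


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard covering exactly one leftmost label (assumption)."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    head, sep, tail = host.partition(".")
    return bool(sep) and bool(head) and tail == pattern[2:]


def certificate_errors(cert: ServerCertificate, host: str, now: datetime) -> List[str]:
    """The validity failures the guide lists; an empty list means the certificate is valid."""
    errors = []
    if not cert.not_before <= now <= cert.not_after:
        errors.append("expired or invalid date")
    if "serverAuth" not in cert.key_usage:
        errors.append("wrong key usage")
    if not any(name_matches(n, host) for n in cert.names):
        errors.append("name mismatch")
    return errors


@dataclass
class AnyConnectClient:
    block_untrusted_servers: bool = True                  # ON by default
    trusted_cas: Set[str] = field(default_factory=set)
    server_store: Set[str] = field(default_factory=set)   # imported fingerprints

    def evaluate(self, cert: ServerCertificate, host: str, now: datetime) -> str:
        """Outcome for one connection attempt: accepted, blocked, or a user prompt."""
        errors = certificate_errors(cert, host, now)
        if errors:
            if self.block_untrusted_servers:
                # Setting ON: the connection is blocked and the user is notified.
                return "blocked: Untrusted VPN Server! (%s)" % ", ".join(errors)
            # Setting OFF: the user may continue (not recommended); an invalid
            # certificate can never be imported into the store.
            return "prompt: continue or view details (%s)" % ", ".join(errors)
        if cert.issuer in self.trusted_cas or cert.fingerprint in self.server_store:
            return "accepted"
        # Valid but untrusted: review it, and optionally import for future acceptance.
        return "prompt: valid but untrusted; View Details to import"

    def import_certificate(self, cert: ServerCertificate, host: str, now: datetime) -> bool:
        """User chose to import after review; only a valid certificate may be stored."""
        if certificate_errors(cert, host, now):
            return False
        self.server_store.add(cert.fingerprint)
        return True


def demo() -> dict:
    """Run the guide's cases against constructed certificates for vpn.example.com."""
    good = ServerCertificate(("vpn.example.com",), "Example Corp CA",
                             datetime(2014, 1, 1, tzinfo=timezone.utc),
                             datetime(2016, 1, 1, tzinfo=timezone.utc),
                             ("serverAuth",), "fp-good (constructed)")
    expired = replace(good, not_after=datetime(2014, 12, 31, tzinfo=timezone.utc),
                      fingerprint="fp-expired (constructed)")
    selfsigned = replace(good, issuer="vpn.example.com (self-signed)",
                         fingerprint="fp-self (constructed)")
    host = "vpn.example.com"
    client = AnyConnectClient(trusted_cas={"Example Corp CA"})
    results = {
        "trusted": client.evaluate(good, host, SAMPLE_NOW),
        "expired_blocking_on": client.evaluate(expired, host, SAMPLE_NOW),
        "untrusted_first_time": client.evaluate(selfsigned, host, SAMPLE_NOW),
        "import_invalid": client.import_certificate(expired, host, SAMPLE_NOW),
        "import_untrusted": client.import_certificate(selfsigned, host, SAMPLE_NOW),
    }
    results["untrusted_after_import"] = client.evaluate(selfsigned, host, SAMPLE_NOW)
    client.block_untrusted_servers = False
    results["expired_blocking_off"] = client.evaluate(expired, host, SAMPLE_NOW)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```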

Viewing Certificates

View User and Server certificates that have been imported into the AnyConnect certificate store by doing the following:

Step 1 From the AnyConnect menu tap Diagnostics > Certificates.

Step 2 Tap the User or Server tab to view certificates in the AnyConnect certificate store.

Step 3 Use this screen to take one of these actions:

Tap the detail disclosure button for the certificate to view the certificate’s properties.

Tap the Edit button to delete the certificate.

Tap Import Certificate... to manually import a certificate.

Tap Delete All Certificates to remove all certificates from the device.

Viewing and Managing the AnyConnect Profile

The AnyConnect VPN Client Profile is an XML file that specifies client behavior and identifies VPN connections. Each connection entry in the VPN Client Profile specifies a secure gateway that is accessible to this endpoint device as well as other connection attributes, policies and constraints. These connection entries, in addition to the VPN connections configured locally on the device by the user, are listed on the AnyConnect home screen to choose from when initiating a VPN connection.

Note AnyConnect retains only one VPN Client Profile on the device at a time.

Users now have the ability to manage the AnyConnect VPN Client Profile on their device. Users perform these tasks:

Step 1 On the AnyConnect tab bar, tap Diagnostics.

The Diagnostics screen opens.

Step 2 Tap Profile .

Use this screen to take one of these actions:

Import Profile..., specify the URL of the profile to be imported.

Delete Profile, confirm this action to delete the current profile from the device.

Show Profile, tap ON to show the current profile on the device.

Managing Localization

Upon AnyConnect installation, your device is localized according to the configured language. See Device Localization for the list of languages supported at installation time. Additional localization management on your device is carried out based on instructions provided by your administrator.

Step 1 On the AnyConnect tab bar, tap Diagnostics.

The Diagnostics screen opens.

Step 2 Tap Localization .

Use this screen to take one of these actions:

Import Localization..., enter the server address and language to import. This localization data is used in place of the pre-packaged, installed localization data. See Importing Localization Data for the other ways to import localization data onto your device.

Importing Localization Data

After installation, localization data for languages not supported in the AnyConnect package is imported by:

Clicking on a hyperlink provided to you by an administrator that has been defined to import localization data.

Your administrator provides a hyperlink in email, or on a webpage, that imports localization data when clicked. This method uses the AnyConnect URI handler, a feature available to administrators for simplifying AnyConnect configuration and management for the user.

Note The user needs to allow this AnyConnect activity by setting External Control to either Prompt or Enable within the AnyConnect settings. See Configuring External Control for how to set this.

Connecting to a secure gateway that an administrator has configured to provide downloadable localization data upon VPN connection.

Your administrator provides you with appropriate VPN connection information, or a predefined connection entry in the XML profile, if this method is to be used. Upon VPN connection, localization data is downloaded to your device and put into play immediately.

Using the Localization Management screen to manually import localization data from a specified server. This localization data is used in place of the installed localization data. See Managing Localization for the import procedure.

– Continue to make the connection to the untrusted server; this is not recommended.

– View Details to view certificate details and decide whether to import the server certificate into the AnyConnect certificate store for future acceptance and continue the connection, or not.

Responding to “Another Application has requested that AnyConnect...Do you want to allow this?”

To protect your device, AnyConnect informs you when another application attempts to generate a connection profile, establish a VPN connection, or disconnect from a VPN.

To protect your device and data, ask your system administrator whether to tap OK to approve the following types of prompts:

Create—“Another application has requested that AnyConnect create a new connection to ‘ host ’. Do you want to allow this?”

Connect—“Another application has requested that AnyConnect connect to ‘ host ’. Do you want to allow this?”

Disconnect—“Another application has requested that AnyConnect disconnect the current connection. Do you want to allow this?”

Note You only receive these messages if External Control is set to Prompt. Set External Control on your mobile device by opening your device’s home page and navigating to Settings > AnyConnect > External Control.

Troubleshooting

This section describes solutions to common problems. If after trying these solutions problems still persist, contact your organization’s IT support department.

A known issue with the operating system is the cause. Apple is working to resolve it. As a workaround, try restarting the application.

Connection time-outs and unresolved hosts.

Internet connectivity issues, a low cell signal level, and network congestion often cause time-outs and unresolved host errors. If a LAN is within reach, try using your device Settings application to establish a connection with the LAN first. Retrying multiple times in response to time-outs often results in success.

VPN connection is not re-established when the device wakes from sleep.

Known Issues in Apple iOS Impacting VPN

We have reported the following iOS issues to Apple. They may be resolved in a future iOS release.

A DTLS packet received while the device is asleep does not awaken it. TLS packets, however, awaken the device if notifications or Facetime is enabled. AnyConnect automatically disconnects the DTLS tunnel when the device goes to sleep to allow packets received over the TLS connection to wake the device. The DTLS tunnel is restored when the device resumes.

Voice applications running in the background on an iPod Touch cannot receive packets over VPN. This functionality works as expected on iPhone devices.

If a VPN configuration contains a large number of routes or split-dns rules, the Apple device cannot establish a VPN connection. This bug occurs, for example, if, upon connection, an ASA configuration pushes a VPN split-include list that has 70 or more rules that direct traffic to individual subnets. To prevent this bug from impacting users, apply a tunnel-all configuration or reduce the number of rules.

AnyConnect may become slow or crash when there are a large number of VPN connections configured on the mobile device.

Customers who wish to tunnel IPv6 traffic need to upgrade their iPhones and iPads to iOS 5.0 or later. Known problems exist in iOS 4.3 that prevent AnyConnect from processing IPv6 traffic properly due to the inability to set default IPv6 routes.

Apple iOS Permits All Local LAN Traffic with Tunnel-all

Apple iOS permits traffic that is essential for the core operation of the device, regardless of whether a tunnel-all policy is in force. Examples of traffic that Apple iOS sends in the clear regardless of the tunnel policy include:

The VPN configurations generated by the iPhone Configuration Utility do not support Network Roaming. If your users require Network Roaming, use an AnyConnect profile.

The Apple iOS device supports no more than one AnyConnect VPN client profile. The contents of the generated configuration always matches the most recent profile. For example, if a user goes to vpn.example1.com and then goes to vpn.example2.com, the AnyConnect VPN client profile imported from vpn.example2.com replaces the one imported from vpn.example1.com.

This release supports the tunnel keepalive feature; however, it reduces battery life of the device. Increasing the update interval value mitigates this issue.

AnyConnect collects device information when the UI is launched and a VPN connection is initiated. Therefore, there are circumstances in which AnyConnect mis-reports mobile posture information if the user relies on iOS’s Connect on Demand feature to make a connection initially, or after device information, such as the OS version, has changed.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.